From 6790f1869a357b7da1d7bae006d32e14821fea5d Mon Sep 17 00:00:00 2001
|
|
From: Felipe Rosa de Almeida <feliperalmeida@users.noreply.github.com>
|
|
Date: Sun, 16 Jan 2022 19:11:21 -0300
|
|
Subject: [PATCH] Forbid lambda expressions in ImageMath.eval()
|
|
|
|
Conflict:NA
|
|
Reference:https://github.com/python-pillow/Pillow/pull/5963/commits/6790f1869a357b7da1d7bae006d32e14821fea5d
|
|
|
|
---
|
|
Tests/test_imagemath.py | 5 +++--
|
|
src/PIL/ImageMath.py | 3 +++
|
|
2 files changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
|
index 8e87339..7bce9e9 100644
|
|
--- a/Tests/test_imagemath.py
|
|
+++ b/Tests/test_imagemath.py
|
|
@@ -52,9 +52,10 @@ def test_ops():
|
|
assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
|
|
|
|
|
|
-def test_prevent_exec():
|
|
+@pytest.mark.parametrize("expression", ("exec('pass')", "(lambda: None)()"))
|
|
+def test_prevent_exec(expression):
|
|
with pytest.raises(ValueError):
|
|
- ImageMath.eval("exec('pass')")
|
|
+ ImageMath.eval(expression)
|
|
|
|
|
|
def test_logical():
|
|
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
|
index 06bea80..64f9c5c 100644
|
|
--- a/src/PIL/ImageMath.py
|
|
+++ b/src/PIL/ImageMath.py
|
|
@@ -250,6 +250,9 @@ def eval(expression, _dict={}, **kw):
|
|
for name in code.co_names:
|
|
if name not in args and name != "abs":
|
|
raise ValueError(f"'{name}' not allowed")
|
|
+ for const in code.co_consts:
|
|
+ if getattr(const, "co_name", None) == "<lambda>":
|
|
+ raise ValueError("Lambda expressions are not allowed")
|
|
|
|
out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
|
|
try:
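Review bot: The new guard at `for const in code.co_consts` matches nested code objects by name only (`co_name == "<lambda>"`), so other nested scopes an expression can produce — comprehensions and generator expressions, whose code objects carry names such as `<listcomp>` or `<genexpr>` on interpreters that compile them separately — pass through, and the names referenced inside any such nested scope are never compared against the allow-list, because the `co_names` loop above reads only the top-level code object. Since nothing in ImageMath needs a nested scope, the simpler and closed check is to reject every code-object constant regardless of its name: `if isinstance(const, type(code)):` followed by `raise ValueError("Nested code objects are not allowed")`, which also keeps the new `(lambda: None)()` test passing. `code` is presumably the compiled expression assigned above the hunk, and eval()'s body starts and continues outside it. Separately, the unchanged context line passes the globals key as `"__builtins"` rather than `"__builtins__"`, which CPython does not treat as the builtins override, so the name allow-list is the only barrier in this function — worth confirming that is intended.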
|
|
--
|
|
2.27.0
|
|
|